HackerTrans
TopNewTrendsCommentsPastAskShowJobs

qcontinuum1

no profile record

Submissions

Chrome extensions spying on users' browsing data

qcontinuum.substack.com
474 points·by qcontinuum1·5 เดือนที่ผ่านมา·205 comments

[untitled]

1 points·by qcontinuum1·5 เดือนที่ผ่านมา·0 comments

[untitled]

1 points·by qcontinuum1·5 เดือนที่ผ่านมา·0 comments

comments

qcontinuum1
·5 เดือนที่ผ่านมา·discuss
Thank you. We are very glad to see the discussion that the report has sparked and and also glad to see the feedback on it. It means a lot to us.

> 1- how large your team is? and how long this research took? it is very thorough and knowing such a detail might encourage others to participate in a joint effort in performing this kind of research

The group is not very large and it took a few months of non-continuous work.

> 2- if this kind of research is your primary focus?

At the moment it is not very clear if we will do followup on this topic or not as explained in different comment. At the moment yes, the group is new.

> 3- if there are other ways that financial support can be provided other than through xrp or btc?

No, at the moment. We would like to remain anonymous, at least for now.
qcontinuum1
·5 เดือนที่ผ่านมา·discuss
It is a noble idea to have a community driven effort in security research. We are sceptical that would work. The same way security researchers will read this thread in future bad actors (e.g. Similarweb) can read as well.

Any tool that would be open sourced or community driven for extension scanning will be with enough time used by bad actors to evade the scans. That is also why we don't share the code for this research as it would only speed up this process.
qcontinuum1
·5 เดือนที่ผ่านมา·discuss
> So they already have a good bootstrapped amount & I feel as if qcontinuum is interested they can maybe implement the idea?

We might to it once. That requires non-trivial engineering effort and resources and we are at the moment short on both of those.
qcontinuum1
·5 เดือนที่ผ่านมา·discuss
15 years ago was probably this type of business in its very early stage. There is little that can be done about "selling" extensions. Chrome Web Store should have tighter checks and scans to minimize this type of data exfiltration.
qcontinuum1
·5 เดือนที่ผ่านมา·discuss
We beg to differ. Consider for example "BlockSite Block Websites and Stay Focused" why would you need to send browsing data to remote server if your job is only to block selected domains?
qcontinuum1
·5 เดือนที่ผ่านมา·discuss
We were hoping to see that as well. There might be v2 of this research ;)
qcontinuum1
·5 เดือนที่ผ่านมา·discuss
Without any doubt the research could continue on this. We had many opportunities to make the scan even wider and almost certainly we would uncover more extensions. The number of leaking extensions should not be taken as definite.

There are resource constrains. Those extensions try to actively detect if you are in developer mode. Took us a while to avoid such measures and we are certain we missed many extensions due to for example usage of Docker container. Ideally you want to use env as close to the real one as possible.

Without infrastructure this doesn't scale.

The same goes for the code analysis you have proposed. There are already tools that do that (see Secure Annex). Often the extensions download remote code that is responsible for data exfiltration or the code is obfuscated multiple times. Ideally you want to run the extension in browser and inspect its code during execution.